From 765a16fb383d8ddd52b4b5b354f639f4c5296f1e Mon Sep 17 00:00:00 2001 From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 12:30:34 -0600 Subject: [PATCH 01/12] fix: embed video position is wrong --- poetry.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/poetry.lock b/poetry.lock index 3d87dd73..3ae96529 100644 --- a/poetry.lock +++ b/poetry.lock @@ -266,14 +266,14 @@ cache = ["platformdirs"] [[package]] name = "mkdocs-tacc" -version = "1.0.1" +version = "1.0.2" description = "TACC-specific MkDocs theme" optional = false python-versions = "<3.13,>=3.10" groups = ["main"] files = [ - {file = "mkdocs_tacc-1.0.1-py3-none-any.whl", hash = "sha256:f14ac8d3833bb43447cdb91210f6179e85fe5bef92f7d948ac9c50e41ec8e6c0"}, - {file = "mkdocs_tacc-1.0.1.tar.gz", hash = "sha256:08b8e0b1ab5bdcdfea493c2f18077723b36569afdd71a23a5d097fb7942799ea"}, + {file = "mkdocs_tacc-1.0.2-py3-none-any.whl", hash = "sha256:2beb36590dc00ec8f815ba59bcf6a3e876ffe2106bcc4a235db9ea04cb2a1601"}, + {file = "mkdocs_tacc-1.0.2.tar.gz", hash = "sha256:9eb65c4701206fdc17ebbc2555c2750ef3de8de64ed3142b0e45f5df32390e4e"}, ] [package.dependencies] From 6a20890710bf36e513b897c59132a4bca5f81223 Mon Sep 17 00:00:00 2001 From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 12:40:41 -0600 Subject: [PATCH 02/12] fix: poetry.lock should trigger requirements sync --- .github/workflows/requirments-sync.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/requirments-sync.yml b/.github/workflows/requirments-sync.yml index 2c38f60f..7a163c12 100644 --- a/.github/workflows/requirments-sync.yml +++ b/.github/workflows/requirments-sync.yml @@ -3,7 +3,7 @@ name: Sync requirements.txt with pyproject.toml on: pull_request: - paths: ['pyproject.toml'] + paths: ['pyproject.toml', 'poetry.lock'] types: [opened, synchronize, reopened] permissions: 
From 574beabadf53b7584fe87df6746d060d6453990f Mon Sep 17 00:00:00 2001 From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 12:47:25 -0600 Subject: [PATCH 03/12] fix: requirements sync not installing deps --- .github/workflows/requirments-sync.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/requirments-sync.yml b/.github/workflows/requirments-sync.yml index 7a163c12..bc76c506 100644 --- a/.github/workflows/requirments-sync.yml +++ b/.github/workflows/requirments-sync.yml @@ -32,6 +32,9 @@ jobs: - name: Install Poetry run: pip install poetry + - name: Install Dependencies via Poetry + run: poetry install --only main --no-root + - name: Detect whether requirements.txt has change id: detect run: | From 56137e6a7d6373455424a307471178d6ce213367 Mon Sep 17 00:00:00 2001 From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:04:37 -0600 Subject: [PATCH 04/12] fix: force make requirements.txt to run --- Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index b4707b08..2c7fc776 100644 --- a/Makefile +++ b/Makefile @@ -2,6 +2,10 @@ DOCKER_COMPOSE_CMD := $(shell if command -v docker-compose > /dev/null; then echo "docker-compose"; else echo "docker compose"; fi) +# To regenerate requirements.txt from poetry.lock +# CAVEAT: Using .PHONY to skip Make's dependency check +# of poetry.lock until it is reliable or proven useless +.PHONY: requirements.txt requirements.txt: poetry.lock pip install --user poetry-plugin-export \ && poetry export -f requirements.txt --output requirements.txt \ From d5d9f54c33a5252359c1e4ddb33ab8c4a5d96724 Mon Sep 17 00:00:00 2001 
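Review bot: The added `poetry install --only main --no-root` step installs every package listed in the pull request's own poetry.lock inside a job that later commits to the branch, so package build and install code runs with whatever the `permissions:` block (not shown here) grants. Nothing visible in this series needs the installed packages: the Makefile recipe in PATCH 04 regenerates the file with `poetry export`, which reads the lock file. If the detect step only calls that export, consider dropping this step; if it is required, a short comment on the step recording why the export needs an installed environment would help the next maintainer. The step list continues outside the hunk.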
From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:07:09 -0600 Subject: [PATCH 05/12] fix: only sync if poetry.lock changes A change to pyproject alone can be unrelated to dependencies. A change to poetry.lock is definitely a change to dependencies. --- .github/workflows/requirments-sync.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/requirments-sync.yml b/.github/workflows/requirments-sync.yml index bc76c506..e9cab15a 100644 --- a/.github/workflows/requirments-sync.yml +++ b/.github/workflows/requirments-sync.yml @@ -3,7 +3,7 @@ name: Sync requirements.txt with pyproject.toml on: pull_request: - paths: ['pyproject.toml', 'poetry.lock'] + paths: ['poetry.lock'] types: [opened, synchronize, reopened] permissions: From f0128ad5e5711bd35dc32ee9fd3a10efad960bca Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 5 Jan 2026 19:08:23 +0000 Subject: [PATCH 06/12] chore: auto-update requirements.txt [bot] --- requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.txt b/requirements.txt index df45f168..38817e26 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -115,9 +115,9 @@ mkdocs-exclude-search==0.6.6 ; python_version >= "3.10" and python_version < "3. mkdocs-include-markdown-plugin==5.1.0 ; python_version >= "3.10" and python_version < "3.13" \ --hash=sha256:4a1b8d79a0e1b6fd357ca8013a6d1701c755ada4acb74ee97b0642d1afe6756e \ --hash=sha256:e9ca188ab1d86f5fc4a6b96ce8c85acf6e25f114897868041056ec7945f29f65 -mkdocs-tacc==1.0.0 ; python_version >= "3.10" and python_version < "3.13" \ - --hash=sha256:5d9f1d4a4b871526f74e92bda8eb52584ece817d1eef5d4064ef40fe6adcf99d \ - --hash=sha256:cbd107eab1ff1659bc164c84f17055f367097a0b3dfe2ec3b41ef34850f7181c +mkdocs-tacc==1.0.2 ; python_version >= "3.10" and python_version < "3.13" \ + --hash=sha256:2beb36590dc00ec8f815ba59bcf6a3e876ffe2106bcc4a235db9ea04cb2a1601 \ + --hash=sha256:9eb65c4701206fdc17ebbc2555c2750ef3de8de64ed3142b0e45f5df32390e4e mkdocs==1.4.3 ; python_version >= "3.10" and python_version < "3.13" \ --hash=sha256:5955093bbd4dd2e9403c5afaf57324ad8b04f16886512a3ee6ef828956481c57 \ --hash=sha256:6ee46d309bda331aac915cd24aab882c179a933bd9e77b80ce7d2eaaa3f689dd From faeae2218b04de95e7ea84b2f004ac94075a0061 Mon Sep 17 00:00:00 2001 From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:26:03 -0600 Subject: [PATCH 07/12] fix: bypass error, cuz req's edit was via merge --- .github/workflows/validate-requirements.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/validate-requirements.yml b/.github/workflows/validate-requirements.yml index 420c6133..9f1d8259 100644 --- a/.github/workflows/validate-requirements.yml +++ b/.github/workflows/validate-requirements.yml 
@@ -22,9 +22,10 @@ jobs: # Check if requirements.txt was modified in last commit if git diff --name-only HEAD~1 HEAD | grep -q "^requirements.txt$"; then if [ "$AUTHOR" != "github-actions[bot]" ]; then - echo "❌ ERROR: You may NOT edit `requirements.txt`" - echo "To pin dependencies, use `poetry add `." - echo "Please remove your changes to requirements.txt, so the robot can maintain it." + echo "::error::You may NOT edit `requirements.txt`" + echo "::notice::To pin dependencies, use 'poetry add '." + echo "::warning::Please remove your changes to requirements.txt, so the robot can maintain it." + echo "To bypass this check (admins only), psh a commit that does not modify 'requirements.txt'." exit 1 fi fi From 546a8152b6b7c6a03b754e88def7beb65d10414d Mon Sep 17 00:00:00 2001 From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 13:32:34 -0600 Subject: [PATCH 08/12] Revert "fix: bypass error, cuz req's edit was via merge" This reverts commit faeae2218b04de95e7ea84b2f004ac94075a0061. --- .github/workflows/validate-requirements.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/validate-requirements.yml b/.github/workflows/validate-requirements.yml index 9f1d8259..420c6133 100644 --- a/.github/workflows/validate-requirements.yml +++ b/.github/workflows/validate-requirements.yml 
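Review bot: The first added `echo` still wraps requirements.txt in backticks inside a double-quoted string, so bash treats it as command substitution and tries to run a command named requirements.txt before printing the message. Quote it the way the next two added lines do: `echo "::error::You may NOT edit 'requirements.txt'"`. The bypass line also has a typo, `psh` for `push`. The revert in PATCH 08 restores the older messages, where both the file name and the poetry add hint are backticked, so the same substitution applies there. The `run:` script begins outside the hunk.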
@@ -22,10 +22,9 @@ jobs: # Check if requirements.txt was modified in last commit if git diff --name-only HEAD~1 HEAD | grep -q "^requirements.txt$"; then if [ "$AUTHOR" != "github-actions[bot]" ]; then - echo "::error::You may NOT edit `requirements.txt`" - echo "::notice::To pin dependencies, use 'poetry add '." - echo "::warning::Please remove your changes to requirements.txt, so the robot can maintain it." - echo "To bypass this check (admins only), psh a commit that does not modify 'requirements.txt'." + echo "❌ ERROR: You may NOT edit `requirements.txt`" + echo "To pin dependencies, use `poetry add `." + echo "Please remove your changes to requirements.txt, so the robot can maintain it." exit 1 fi fi From 5de9d183d4a506561262f27d2f9d692c925ea29f Mon Sep 17 00:00:00 2001 From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 14:40:30 -0600 Subject: [PATCH 09/12] refactor: [AI] compare author of req's change --- .../actions/validate-requirements/action.yml | 31 +++++++ .../actions/validate-requirements/check.sh | 83 +++++++++++++++++++ .../commit-messages/requirements_update.txt | 1 + .github/workflows/requirements-validate.yml | 23 +---- .github/workflows/requirments-sync.yml | 9 +- .github/workflows/validate-requirements.yml | 21 ++--- 6 files changed, 130 insertions(+), 38 deletions(-) create mode 100644 .github/actions/validate-requirements/action.yml create mode 100644 .github/actions/validate-requirements/check.sh create mode 100644 .github/commit-messages/requirements_update.txt diff --git a/.github/actions/validate-requirements/action.yml b/.github/actions/validate-requirements/action.yml new file mode 100644 index 00000000..16f4d659 --- /dev/null +++ b/.github/actions/validate-requirements/action.yml 
@@ -0,0 +1,31 @@
+name: "Validate requirements"
+
+description: |
+ Reject changes to `requirements.txt` unless the latest commit that touched
+ the file in the compare range was authored by an allowed bot.
+
+inputs:
+ allowed_bots:
+ description: "Comma-separated list of allowed bot author names"
+ required: false
+ default: "github-actions[bot],dependabot[bot]"
+ commit_message_file:
+ description: "Path to file that contains canonical commit message (exact match)"
+ required: false
+ default: ".github/commit-messages/requirements_update.txt"
+
+runs:
+ using: "composite"
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run requirements check
+ shell: bash
+ env:
+ ALLOWED_BOTS: ${{ inputs.allowed_bots }}
+ COMMIT_MSG_FILE: ${{ inputs.commit_message_file }}
+ run: |
+ bash ./.github/actions/validate-requirements/check.sh
\ No newline at end of file
diff --git a/.github/actions/validate-requirements/check.sh b/.github/actions/validate-requirements/check.sh
new file mode 100644
index 00000000..c83f855a
--- /dev/null
+++ b/.github/actions/validate-requirements/check.sh
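Review bot: The `Checkout repository` step inside the composite action repeats work the callers must already have done: both workflows changed in this patch run `actions/checkout@v4` with `fetch-depth: 0` before `uses: ./.github/actions/validate-requirements`, and a local action cannot be resolved without that checkout. I would drop the nested step and state the precondition in `description`, e.g. `Requires a prior actions/checkout with fetch-depth: 0.` The description also says the change must be authored by an allowed bot, while check.sh additionally accepts a matching commit message, so the text should mention `commit_message_file`. The file ends without a trailing newline.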
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+
+ALLOWED_BOTS="${ALLOWED_BOTS:-github-actions[bot],dependabot[bot]}"
+
+# Determine the comparison range
+is_pr=;
+if [ "${GITHUB_EVENT_NAME:-}" = "pull_request" ]; then
+ is_pr=1
+fi
+has_base_ref=;
+if [ -n "${GITHUB_BASE_REF:-}" ]; then
+ has_base_ref=1
+fi
+origin_base_ref_exists=;
+if [ -n "${GITHUB_BASE_REF:-}" ] && git rev-parse --verify "origin/${GITHUB_BASE_REF}" >/dev/null 2>&1; then
+ origin_base_ref_exists=1
+fi
+if [ -n "$is_pr" ] && [ -n "$has_base_ref" ] && [ -n "$origin_base_ref_exists" ]; then
+ BASE_REF="$(git rev-parse "origin/${GITHUB_BASE_REF}")"
+ COMPARE_RANGE="$BASE_REF...HEAD"
+else
+ COMPARE_RANGE="HEAD~1..HEAD"
+fi
+
+# If requirements.txt changed in comparison range, ensure latest change's commit
+# was authored by an allowed bot, or the latest commit message exactly matches
+# the canonical bot commit message, or fallback to any bot-authored commit.
+if git diff --name-only $COMPARE_RANGE | grep -q "^requirements.txt$"; then
+ latest_sha=$(git log -1 --pretty=format:'%H' $COMPARE_RANGE -- requirements.txt || true)
+
+ if [ -z "$latest_sha" ]; then
+ echo "::error::No commits found touching requirements.txt in range $COMPARE_RANGE"
+ exit 1
+ fi
+
+ latest_author=$(git show -s --format='%an' "$latest_sha")
+ latest_committer=$(git show -s --format='%cn' "$latest_sha")
+ latest_message=$(git show -s --format='%B' "$latest_sha")
+
+ echo "Latest commit touching requirements.txt: $latest_sha"
+ echo " author: $latest_author"
+ echo " committer: $latest_committer"
+ echo " message: $(echo "$latest_message" | head -n1)"
+
+ # Build a grep-friendly regex from comma-separated allowed bots
+ allowed_regex=$(echo "$ALLOWED_BOTS" | sed 's/,/\\|/g')
+
+ # 1) author or committer is allowed bot
+ if echo "$latest_author" | grep -qE "^($allowed_regex)$" || echo "$latest_committer" | grep -qE "^($allowed_regex)$"; then
+ echo "Latest change by allowed bot: OK"
+ exit 0
+ fi
+
+ #
2) latest commit message exactly equals canonical message
+ if [ -n "${COMMIT_MSG_FILE:-}" ] && [ -f "$COMMIT_MSG_FILE" ]; then
+ canonical_msg=$(sed -n '1p' "$COMMIT_MSG_FILE" | tr -d '\r')
+ # Compare exact first-line equality (trim trailing newline/space)
+ latest_first_line=$(echo "$latest_message" | head -n1 | sed -e 's/[[:space:]]*$//')
+ if [ "$latest_first_line" = "$canonical_msg" ]; then
+ echo "Latest commit message exactly matches canonical bot message: OK"
+ exit 0
+ fi
+ fi
+
+ # 3) fallback: any commit touching the file in range has allowed bot author or committer
+ if git log $COMPARE_RANGE --pretty=format:'%an|%cn' -- requirements.txt | grep -qE "($allowed_regex)"; then
+ echo "Found a bot-authored/committed change touching requirements.txt in the range: OK"
+ exit 0
+ fi
+
+ echo "::error::You may NOT edit 'requirements.txt'"
+ echo "::warning::Undo your changes to requirements.txt, so robot can maintain it."
+ echo "::notice::To pin dependencies, use 'poetry add '."
+ echo "Latest commit: $latest_sha"
+ echo "Latest author: $latest_author"
+ echo "Latest committer: $latest_committer"
+ echo "Latest message: $(echo "$latest_message" | head -n1)"
+ exit 1
+fi
+
+echo "'requirements.txt' unchanged (or latest change by allowed bot/marker)"
diff --git a/.github/commit-messages/requirements_update.txt b/.github/commit-messages/requirements_update.txt
new file mode 100644
index 00000000..322db8b8
--- /dev/null
+++ b/.github/commit-messages/requirements_update.txt
@@ -0,0 +1 @@
+chore: auto-update requirements.txt [bot]
diff --git a/.github/workflows/requirements-validate.yml b/.github/workflows/requirements-validate.yml
index de140da0..c0ba5acb 100644
--- a/.github/workflows/requirements-validate.yml
+++ b/.github/workflows/requirements-validate.yml
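Review bot: The allow-list match in checks 1 and 3 cannot match the real bot names, because `allowed_regex` pastes `github-actions[bot]` into a regex where `[bot]` is a bracket expression (one of b, o, t), and the `\|` that sed inserts is a literal pipe under `grep -E` rather than alternation. That leaves check 2, the first-line commit-message comparison, as the only path that passes, and check 3 is unanchored as well. Author name, committer name and commit message are all chosen by whoever creates the commit, so none of the three authenticates the bot; treat the script as a convention guard, and for enforcement regenerate the export from poetry.lock in CI and fail when it differs from the committed requirements.txt. Matching the names as fixed whole-line strings repairs checks 1 and 3, as sketched below.

```bash
  # Build the allow-list as one literal name per line ("[bot]" must not be read as a regex)
  allowed_names=$(printf '%s\n' "$ALLOWED_BOTS" | tr ',' '\n')

  # 1) author or committer is allowed bot (fixed-string, whole-line match)
  if printf '%s\n' "$latest_author" "$latest_committer" | grep -Fxq -e "$allowed_names"; then
    echo "Latest change by allowed bot: OK"
    exit 0
  fi

  # … unchanged: 2) canonical commit message comparison …

  # 3) fallback: one name per line so the same whole-line match applies
  if git log $COMPARE_RANGE --pretty=format:'%an%n%cn' -- requirements.txt | grep -Fxq -e "$allowed_names"; then
  # … unchanged: success message, exit 0, and the error output …
```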
@@ -19,23 +19,8 @@ jobs: with: fetch-depth: 0 # full history - - name: Check if requirements.txt was modified unexpectedly - run: | - # For PRs, check against base branch - # For pushes, check last commit - if [ "${{ github.event_name }}" = "pull_request" ]; then - BASE_REF="${{ github.event.pull_request.base.sha }}" - COMPARE_RANGE="$BASE_REF...HEAD" - else - COMPARE_RANGE="HEAD~1..HEAD" - fi - - # If requirements.txt modified in that range - if git diff --name-only $COMPARE_RANGE | grep -q "^requirements.txt$"; then - echo "::error::You may NOT edit 'requirements.txt'" - echo "::warning::Undo your changes to requirements.txt, so robot can maintain it." - echo "::notice::To pin dependencies, use 'poetry add '." - exit 1 - fi + - name: Validate requirements + uses: ./.github/actions/validate-requirements + with: + allowed_bots: 'github-actions[bot],dependabot[bot]' - echo "'requirements.txt' unchanged (or only changed by bot)" diff --git a/.github/workflows/requirments-sync.yml b/.github/workflows/requirments-sync.yml index e9cab15a..ef828b6a 100644 --- a/.github/workflows/requirments-sync.yml +++ b/.github/workflows/requirments-sync.yml @@ -83,6 +83,9 @@ jobs: if git diff --staged --quiet; then echo "No changes to requirements.txt" else - git commit -m "chore: auto-update requirements.txt [bot]" - git push - fi + commit_msg=$(sed -n '1p' .github/commit-messages/requirements_update.txt 2>/dev/null | tr -d '\r') + if [ -z "$commit_msg" ]; then + echo "::error::Missing or empty canonical commit message file: .github/commit-messages/requirements_update.txt" + exit 1 + fi + git commit -m "$commit_msg" diff --git a/.github/workflows/validate-requirements.yml b/.github/workflows/validate-requirements.yml index 420c6133..7640e5fa 100644 --- a/.github/workflows/validate-requirements.yml +++ b/.github/workflows/validate-requirements.yml 
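Review bot: The rewritten `else` branch in requirments-sync.yml commits but no longer pushes: the hunk removes `git push` along with the old `git commit`, the added lines stop at `git commit -m "$commit_msg"`, and PATCH 11 adds back only the missing `fi`. Unless a later step outside these hunks pushes, the regenerated requirements.txt stays on the runner and never reaches the pull-request branch. I would restore `git push` directly after the commit line. The `run:` script starts before the hunk.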
@@ -12,21 +12,10 @@ jobs: - name: Checkout code uses: actions/checkout@v4 with: - fetch-depth: 2 + fetch-depth: 0 - - name: Check if requirements.txt was modified unexpectedly - run: | - # Get author of last commit - AUTHOR=$(git log -1 --pretty=format:'%an') - - # Check if requirements.txt was modified in last commit - if git diff --name-only HEAD~1 HEAD | grep -q "^requirements.txt$"; then - if [ "$AUTHOR" != "github-actions[bot]" ]; then - echo "❌ ERROR: You may NOT edit `requirements.txt`" - echo "To pin dependencies, use `poetry add `." - echo "Please remove your changes to requirements.txt, so the robot can maintain it." - exit 1 - fi - fi + - name: Validate requirements + uses: ./.github/actions/validate-requirements + with: + allowed_bots: 'github-actions[bot],dependabot[bot]' - echo "✅ SUCCESS: `requirements.txt` not modified unexpectedly" From 6c2e4440fd2571d6b9dc26174137cc3f60185193 Mon Sep 17 00:00:00 2001 From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 14:49:23 -0600 Subject: [PATCH 10/12] fix: [AI] compare author of req's change --- .github/actions/validate-requirements/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/validate-requirements/check.sh b/.github/actions/validate-requirements/check.sh index c83f855a..253ef58d 100644 --- a/.github/actions/validate-requirements/check.sh +++ b/.github/actions/validate-requirements/check.sh @@ -5,15 +5,15 @@ IFS=$'\n\t' ALLOWED_BOTS="${ALLOWED_BOTS:-github-actions[bot],dependabot[bot]}" # Determine the comparison range -is_pr=; +is_pr="" if [ "${GITHUB_EVENT_NAME:-}" = "pull_request" ]; then is_pr=1 fi -has_base_ref=; +has_base_ref="" if [ -n "${GITHUB_BASE_REF:-}" ]; then has_base_ref=1 fi -origin_base_ref_exists=; +origin_base_ref_exists="" if [ -n "${GITHUB_BASE_REF:-}" ] && git rev-parse --verify "origin/${GITHUB_BASE_REF}" >/dev/null 2>&1; then origin_base_ref_exists=1 fi 
From dd306e19b22a7561eada6c99f908a7cbf8d1a520 Mon Sep 17 00:00:00 2001 From: Wesley B <62723358+wesleyboar@users.noreply.github.com> Date: Mon, 5 Jan 2026 14:56:56 -0600 Subject: [PATCH 11/12] fix: [AI] missing fi --- .github/workflows/requirments-sync.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/requirments-sync.yml b/.github/workflows/requirments-sync.yml index ef828b6a..51ce2131 100644 --- a/.github/workflows/requirments-sync.yml +++ b/.github/workflows/requirments-sync.yml @@ -89,3 +89,4 @@ jobs: exit 1 fi git commit -m "$commit_msg" + fi From f1ff43e6352061c8ecd417c8c3453a37975a60d6 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Mon, 5 Jan 2026 23:23:58 +0000 Subject: [PATCH 12/12] chore: auto-update requirements.txt [bot] --- requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.txt b/requirements.txt index 9bb7d560..38817e26 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -115,9 +115,9 @@ mkdocs-exclude-search==0.6.6 ; python_version >= "3.10" and python_version < "3. mkdocs-include-markdown-plugin==5.1.0 ; python_version >= "3.10" and python_version < "3.13" \ --hash=sha256:4a1b8d79a0e1b6fd357ca8013a6d1701c755ada4acb74ee97b0642d1afe6756e \ --hash=sha256:e9ca188ab1d86f5fc4a6b96ce8c85acf6e25f114897868041056ec7945f29f65 -mkdocs-tacc==1.0.1 ; python_version >= "3.10" and python_version < "3.13" \ - --hash=sha256:08b8e0b1ab5bdcdfea493c2f18077723b36569afdd71a23a5d097fb7942799ea \ - --hash=sha256:f14ac8d3833bb43447cdb91210f6179e85fe5bef92f7d948ac9c50e41ec8e6c0 +mkdocs-tacc==1.0.2 ; python_version >= "3.10" and python_version < "3.13" \ + --hash=sha256:2beb36590dc00ec8f815ba59bcf6a3e876ffe2106bcc4a235db9ea04cb2a1601 \ + --hash=sha256:9eb65c4701206fdc17ebbc2555c2750ef3de8de64ed3142b0e45f5df32390e4e mkdocs==1.4.3 ; python_version >= "3.10" and python_version < "3.13" \ --hash=sha256:5955093bbd4dd2e9403c5afaf57324ad8b04f16886512a3ee6ef828956481c57 \ --hash=sha256:6ee46d309bda331aac915cd24aab882c179a933bd9e77b80ce7d2eaaa3f689dd